On 20/06/2026 15:19, Adrian Bunk wrote:
On Sat, Jun 20, 2026 at 02:29:25AM +0200, Lee Garrett wrote:
...
[ Tests ]
Upstream has stellar CI tests, they add new tests for every bug they
fix. The tests also pass when running against Debian via autopkgtest. On
top of that, I manually tested my playbooks against my servers to check
for any regressions.
[ Risks ]
The changes are upstream bugfix releases with accompanying tests.
...
> How has the CVE been reproduced and the fix been tested?
You can run the test manually by commenting out the unrelated failing part of
the test:
$ PYTHONPATH=./test/lib/ ansible-test integration ansible-galaxy-role
WARNING: Using locale "C.UTF-8" instead of "en_US.UTF-8". Tests which depend on the locale may behave unexpectedly.
Running ansible-galaxy-role integration test role
PLAY [testhost] ****************************************************************
TASK [Gathering Facts] *********************************************************
ok: [testhost]
TASK [setup_remote_tmp_dir : make sure we have the ansible_os_family and ansible_distribution_version facts] ***
skipping: [testhost]
TASK [setup_remote_tmp_dir : include_tasks] ************************************
included: /workspaces/ansible-core/test/results/.tmp/integration/ansible-galaxy-role-do9a_yyp-ÅÑŚÌβŁÈ/test/integration/targets/setup_remote_tmp_dir/tasks/default.yml for testhost
TASK [setup_remote_tmp_dir : create temporary directory] ***********************
changed: [testhost]
TASK [setup_remote_tmp_dir : record temporary directory] ***********************
ok: [testhost]
TASK [ansible-galaxy-role : Create invalid requirements file] ******************
changed: [testhost]
TASK [ansible-galaxy-role : Attempt to install invalid role requirements] ******
changed: [testhost]
TASK [ansible-galaxy-role : Validate git core.sshCommand did not run] **********
ok: [testhost]
TASK [ansible-galaxy-role : Verify the invalid field is treated as a single positional argument (repo or dest)] ***
ok: [testhost] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [ansible-galaxy-role : Uninstall git if it was installed] *****************
skipping: [testhost]
RUNNING HANDLER [setup_remote_tmp_dir : delete temporary directory] ************
included: /workspaces/ansible-core/test/results/.tmp/integration/ansible-galaxy-role-do9a_yyp-ÅÑŚÌβŁÈ/test/integration/targets/setup_remote_tmp_dir/tasks/default-cleanup.yml for testhost
RUNNING HANDLER [setup_remote_tmp_dir : Ensure temporary directory has correct perms to delete] ***
changed: [testhost]
RUNNING HANDLER [setup_remote_tmp_dir : delete temporary directory] ************
changed: [testhost]
PLAY RECAP *********************************************************************
testhost : ok=11 changed=5 unreachable=0 failed=0 skipped=2 rescued=0 ignored=0
WARNING: Reviewing previous 1 warning(s):
WARNING: Using locale "C.UTF-8" instead of "en_US.UTF-8". Tests which depend on the locale may behave unexpectedly.
> No tests are run at build time, and the test case for the CVE is
> disabled in debci.
The integration test this test case is part of fails due to packaging issues
with setuptools, refer to:
https://github.com/ansible/ansible/issues/27105
https://github.com/pypa/setuptools/issues/415
Switching the upstream source in a stable update to fix the test issue is
overkill, so I won't do that.
The security fix itself is fairly small and targeted.
FTR, this is the CVE fix:
...
--- ansible-core-2.19.4/lib/ansible/utils/galaxy.py 2025-11-05
00:27:03.000000000 +0100
+++ ansible-core-2.19.11/lib/ansible/utils/galaxy.py 2026-06-18
21:34:02.000000000 +0200
@@ -72,7 +72,7 @@
elif scm == 'hg':
clone_cmd.append('--insecure')
- clone_cmd.extend([src, name])
+ clone_cmd.extend(['--', src, name])
run_scm_cmd(clone_cmd, tempdir)
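Review bot: the `'--'` is appended after the hg branch's `--insecure`, which is the right place, since the end-of-options marker has to come after every real option; both `git clone` and `hg clone` stop option parsing at `--`, so a `src` or `name` beginning with `-` (the case the test's "treated as a single positional argument (repo or dest)" assertion exercises) is now handed to the SCM as a repository path or destination instead of being interpreted as an option. Two things worth confirming outside this hunk: that the git branch of the same `if`/`elif` does not add options to `clone_cmd` after this point, and that any later `run_scm_cmd` calls in this function that pass user-controlled values (a requested version, for example) get the same separator. A one-line comment on the `'--'` explaining why it is there would help keep it from being dropped in a later refactor.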
...
cu
Adrian
Bye,
Lee